STIX Phishing Indicator Example

Package
  Title: STIX Phishing Indicator Example
  Package intent: Indicators - Phishing

Indicator
  Title: "US-China" Phishing Indicator
  Type: Malicious E-mail
  Description: This is a cyber threat indicator for instances of "US-China" phishing attempts.
  Valid time: 2012-12-01T09:30:47Z to 2013-02-01T09:30:47Z
  Observable: e-mail message
    From address: @state.gov
    Related object (relationship: Contains): file with extension pdf, size 87022 bytes, MD5 cf2b3ad32a8a4cfb05e9dfc45875bd70
  Indicated TTP: Phishing

Suggested courses of action

  Stage: Remedy
  Title: Email Block
  Description: Redirect and quarantine new matching email.
  Objective: Prevent future instances of similar phishing attempts from reaching targeted recipients, in order to eliminate the possibility of compromise from a targeted recipient falling for the phishing lure.

  Stage: Remedy
  Title: Web Link Block
  Description: Block malicious links on web proxies.
  Objective: Prevent execution of, or navigation to, known malicious web URLs.

  Stage: Remedy
  Title: Domain Traffic Block
  Description: Block traffic to/from malicious domains via firewalls and DNS servers.
  Objective: Prevent any traffic (potentially containing malicious logic, data exfiltration, C2, etc.) to or from known malicious domains.

  Stage: Response
  Title: Malicious Email Cleanup
  Description: Remove existing matching email from the mail servers.
  Objective: Clean up any known malicious emails from mail servers (potentially in Inboxes, Sent folders, Deleted folders, etc.) to prevent any future exploitation from those particular emails.

  Stage: Response
  Title: Phishing Target Identification
  Description: Review mail logs to identify other targeted recipients.
  Objective: Identify all targeted victims of a particular phishing campaign, in order to enable notification and to support more strategic cyber threat intelligence activities (TTP characterization, Campaign analysis, ThreatActor attribution, etc.).

  Stage: Response
  Title: Phishing Target Notification
  Description: Notify targeted recipients.
  Objective: Notify all targeted victims of a particular phishing campaign to ensure they are aware they have been targeted and to help them understand how to avoid falling for phishing attacks.

  Stage: Response
  Title: Super Secret Proprietary Response
  Description: Carry out some sensitive action that is applicable only within the environment of the affected organization.
Handling (marking controlled structures)
  The first XPath scopes a marking to the whole Indicator; the second scopes a separate marking to a single Course_Of_Action selected by id.
  ancestor-or-self::stix:Indicator//node()
  ancestor-or-self::stix:Indicator//indicator:SuggestedCOAs/indicator:SuggestedCOA/stixCommon:Course_Of_Action[@id="example:COA-e46d2565-754e-4ac3-9f44-2de1bfb1e71d"]

Confidence: High (source: MITRE)
Producer: MITRE, 2012-12-01T09:30:47Z
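The indicator above only pays off once something evaluates its observable against real mail and turns a hit into the suggested courses of action. The following is an added example, not part of the STIX sample or of any MITRE tooling: the observable (sender address with the Contains condition, PDF attachment with size and MD5) is expressed as plain Python data and checked against a few constructed mail-gateway records. Record fields, sample values and the recommend() policy are assumptions for illustration; only the indicator values and COA titles come from the page.

```python
"""Evaluate mail-gateway records against the "US-China" phishing indicator.

Added example (not part of the original STIX sample). The gateway record
shape and the sample records below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List

# Values taken from the indicator on the page.
INDICATOR = {
    "title": '"US-China" Phishing Indicator',
    "sender_contains": "@state.gov",            # matched with a Contains condition
    "attachment_extension": "pdf",
    "attachment_size": 87022,
    "attachment_md5": "cf2b3ad32a8a4cfb05e9dfc45875bd70",
    "valid_from": "2012-12-01T09:30:47Z",
    "valid_to": "2013-02-01T09:30:47Z",
}

# Suggested COAs from the page, keyed by stage. The "Super Secret Proprietary
# Response" sits under its own handling marking, so a shared tool does not
# recommend it (assumption about how the marking should be honoured).
SUGGESTED_COAS = {
    "Remedy": ["Email Block", "Web Link Block", "Domain Traffic Block"],
    "Response": [
        "Malicious Email Cleanup",
        "Phishing Target Identification",
        "Phishing Target Notification",
    ],
}


@dataclass
class Attachment:
    filename: str
    size: int
    md5: str  # as logged by the gateway; compared case-insensitively

    @property
    def extension(self) -> str:
        return self.filename.rsplit(".", 1)[-1].lower() if "." in self.filename else ""


@dataclass
class GatewayRecord:
    """One constructed mail-gateway log entry (not real traffic)."""
    message_id: str
    sender: str
    received: str  # UTC ISO-8601 with 'Z', same shape as the indicator times
    attachments: List[Attachment] = field(default_factory=list)


def attachment_matches(att: Attachment) -> bool:
    """All three file properties must hold, as in the CybOX object."""
    return (att.extension == INDICATOR["attachment_extension"]
            and att.size == INDICATOR["attachment_size"]
            and att.md5.lower() == INDICATOR["attachment_md5"])


def match_indicator(rec: GatewayRecord) -> dict:
    """Report which observable parts matched and whether the record falls
    inside the indicator's valid-time window (stale hits are still reported)."""
    sender_hit = INDICATOR["sender_contains"].lower() in rec.sender.lower()
    file_hit = any(attachment_matches(a) for a in rec.attachments)
    # All timestamps share one fixed-width UTC format, so string order is time order.
    in_window = INDICATOR["valid_from"] <= rec.received <= INDICATOR["valid_to"]
    return {
        "message_id": rec.message_id,
        "matched": sender_hit and file_hit,
        "sender_hit": sender_hit,
        "attachment_hit": file_hit,
        "within_valid_time": in_window,
    }


def recommend(result: dict) -> List[str]:
    """Remedy actions stop further delivery; Response actions clean up and
    notify for what already landed. Nothing is recommended for a non-match."""
    if not result["matched"]:
        return []
    return SUGGESTED_COAS["Remedy"] + SUGGESTED_COAS["Response"]


# Constructed sample records: a full hit, a sender miss, a hash miss, and a
# hit that arrives after the indicator's valid-time window has closed.
SAMPLE_RECORDS = [
    GatewayRecord("m1", "press.office@state.gov", "2012-12-15T08:00:00Z",
                  [Attachment("US-China_Brief.pdf", 87022,
                              "CF2B3AD32A8A4CFB05E9DFC45875BD70")]),
    GatewayRecord("m2", "newsletter@example.org", "2012-12-15T08:05:00Z",
                  [Attachment("US-China_Brief.pdf", 87022,
                              "cf2b3ad32a8a4cfb05e9dfc45875bd70")]),
    GatewayRecord("m3", "press.office@state.gov", "2012-12-15T08:10:00Z",
                  [Attachment("agenda.pdf", 87022, "0" * 32)]),
    GatewayRecord("m4", "press.office@state.gov", "2013-03-01T10:00:00Z",
                  [Attachment("US-China_Brief.pdf", 87022,
                              "cf2b3ad32a8a4cfb05e9dfc45875bd70")]),
]


def scan(records=SAMPLE_RECORDS) -> List[dict]:
    return [match_indicator(r) for r in records]


if __name__ == "__main__":
    for res in scan():
        print(res["message_id"], res["matched"], res["within_valid_time"], recommend(res))
```

Two points worth noticing when running it: the Contains condition on the sender is a substring test, so it also fires on lookalikes such as user@state.gov.example, which for a phishing-lure indicator is usually what you want; and record m4 matches the observable but falls outside the valid-time window, so a consumer should decide explicitly whether expired indicators still trigger Remedy actions rather than silently dropping them.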